There are numerous sensor products available on the market today that provide network event and security reporting. For example, many firewall, intrusion detection system (IDS), server, switch and router products have the capability to log and present network events to a network security administrator. In general, the network event log from such devices is non-standardized and unique to the product manufacturer. Therefore, there is no centralized presentation or reporting capability for these products. Instead, the network event record and any detected security alerts must be viewed with the user interface of each individual device hosting the product to determine the nature of any security incident. It would be desirable to provide a network security system, apparatuses, methods, and articles that provide the capability of accepting network event data from different sensors, and generating a uniform, integrated presentation from the event logs of multiple products. This would provide a network security administrator with a unified and readily comprehensible view of a network event or series of events that represent an attack on a network resource, even though the reported network events may originate from different types of sensors.
Although many firewalls, IDSs, servers, switches, routers or other sensors may have the capability to detect an event representing a possible security incident, there is no known effective way to rate the severity of a network attack. An ′attack′ can be in the form of a network intrusion event, unauthorized access to or use of a network resource, damage or destruction of a network resource, or a denial-of-service attack. Regardless of the form of an attack, existing security products cannot generally rate the severity of an attack, particularly one involving multiple devices. For example, the destination of the attack may be a network resource that is particularly vulnerable to attack or whose impairment or loss would greatly impact the ability to use the network. Alternatively, a particular source of attack may pose a greater danger than others. For example, if the source of the attack is a person known to have attacked a network in the past, then the attack may be considered to be more severe than other attacks. It would be desirable to provide a system, apparatuses and methods that can rate an attack according to its severity.
In a network security system, numerous devices may be reporting security events or incidents. If numerous attacks are occurring simultaneously, the network security administrator must generally rely upon experience to determine the security events posing the greatest threats. It would be desirable to provide a system, apparatuses, methods, and articles that provide a more exact assessment of the comparative risk associated with network attacks relative to human reckoning. Using this capability of the system, apparatuses, methods and articles of the invention, an attack can be detected and assessed more quickly as to relative severity, allowing a network administrator to allocate security resources to those attacks most requiring attention.
With existing network security products, as previously mentioned, there is no integrated approach to evaluating or correlating events from different sensors to detect and generate an overall assessment of the threat level posed by a network attack or series of attacks. Moreover, there is no way to customize such an integrated network security system to reflect existing network realities to generate threat level data or alerts based upon criteria or rules set by the administrator. For example, if a network has only one web server with no back-up capability and many users are known to require access to the World Wide Web in the performance of their work functions, then a network administrator may rate an attack on the web server as particularly threatening. It would be desirable to provide a network security system, apparatuses, methods, and articles with the capability to adjust threat levels associated with certain attacks customized to the nature of the network and its devices in a particular implementation. Moreover, it would be desirable to permit the network administrator to set the threat level and/or logic resulting in generation of alerts associated with network events to provide automated detection of security incidents.